Architecture for an airplane braking system including two computers and capable of withstanding two breakdowns, and a method of managing such an architecture

ABSTRACT

The invention relates to an architecture for a braking system for an airplane fitted with a plurality of undercarriages each carrying a plurality of wheels, at least some of which are fitted with brakes, the architecture comprising at least two braking computers each having two modules such that in each computer, one of the modules controls a first fraction of the brakes and the other module controls a second fraction of the brakes complementary to the first. According to the invention, the architecture is configured to operate in any one of the following modes of operation: a first normal mode in which both modules of one of the braking computers are active for controlling all of the brakes; a second normal mode in which both modules of the other braking computer are active for controlling all of the brakes; and an alternative mode in which one module of one of the braking computers and one module of the other braking computer are active for controlling all of the brakes.

The present invention relates to an architecture for an airplane braking system including two computers and capable of withstanding two breakdowns, and it also relates to a method of managing such an architecture.

BACKGROUND OF THE INVENTION

Brake system architectures are known for airplanes fitted with a plurality of brakes, such architectures including at least two braking computers, each capable of controlling all of the brakes.

Each computer is subdivided into two channels, a first channel being adapted to control the brakes while a second channel is adapted to monitor the first channel. If divergence should appear between the channels in the active computer, then the other computer automatically takes over, thus enabling that architecture to withstand a single breakdown.

Nevertheless, if a new breakdown were to occur on the second computer, braking using all of the brakes can no longer be guaranteed using those two computers only.

It is then necessary either to accept no braking, or to make do with degraded braking, or else to provide a third computer.

OBJECT OF THE INVENTION

The invention seeks to provide a braking system architecture providing an improved level of safety, while nevertheless not requiring an additional computer.

BRIEF DESCRIPTION OF THE INVENTION

The invention provides an architecture for a braking system for an airplane fitted with a plurality of undercarriages each carrying a plurality of wheels, at least some of which are fitted with brakes, the architecture comprising at least two braking computers each having two modules such that in each computer, one of the modules controls a first fraction of the brakes and the other module controls a second fraction of the brakes complementary to the first, the architecture being configured to operate in any one of the following modes of operation:

-   a first normal mode in which both modules of one of the braking computers are active for controlling all of the brakes;
-   a second normal mode in which both modules of the other braking computer are active for controlling all of the brakes; and
-   an alternative mode in which one module of one of the braking computers and one module of the other braking computer are active for controlling all of the brakes.

Breakdown configurations can occur in which there are two breakdowns, with one of the modules in each of the braking computers being faulty, each of the faulty modules controlling a fraction of the brakes that is complementary to the portion controlled by the other faulty module. The two remaining modules are thus theoretically capable of controlling braking while using all of the brakes of the airplane.

In the invention, braking is performed using the two modules that are sound, and thus at full capacity since it is still possible to control all of the brakes of the airplane. The architecture of the invention thus overcomes the physical grouping of the modules to enable simultaneous operation of two modules that do not belong to the same braking computer.

The braking system architecture of the invention is thus capable of withstanding at least certain combinations of two breakdowns, while nevertheless not requiring an additional computer to be used.

In a particular aspect of the invention, the modules include first monitoring means configured so that in each mode of operation the two active modules monitor each other.

Thus, regardless of whether the active modules belong to the same computer or to two different computers, they monitor each other, thereby enabling braking to be performed with all of the brakes and in great safety, regardless of the operating mode of the architecture.

Also preferably, each module comprises a first card adapted to generate a braking reference signal, and a second card adapted to generate a braking order for each brake associated with the module by modulating the braking reference signal in order to avoid skidding of said brake, the first monitoring means being associated with the first card of each module and being adapted to monitor the first card of the other active module.

Also preferably, the first card and the second card in a given module include second monitoring means configured, when said module is active, to enable the first and second cards to monitor each other.

For this purpose, the first card and the second card preferably include at least one identical input.

According to another particular aspect of the invention, the braking system architecture is configured also to operate in a degraded mode in which only one of the modules of one of the braking computers is active.

This disposition enables braking to be performed using only those brakes that are associated with the module that is active.

In a preferred configuration of the architecture of the invention, one of the modules of one of the computers is connected to a first power supply bus, one of the modules of the other computer is connected to a second power supply bus, and the other two modules that are intended to be active together in the alternative mode are connected to a third power supply bus.

In a practical aspect of the invention, each module is configured to perform at least one function other than braking and involving at least one of the undercarriages of the airplane, such as steering the airplane or lowering and/or raising the undercarriages.

The invention also relates to a method of managing such an architecture.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention will be better understood in the light of the following description given with reference to the accompanying drawings, in which:

FIG. 1 is a diagram showing an airplane braking architecture of the invention; and

FIGS. 2 to 5 show different operating modes of a braking architecture constituting a particular embodiment of the invention.

DETAILED DESCRIPTION OF THE INVENTION

With reference to FIG. 1, a braking system architecture for an airplane comprises two braking computers A, B, each comprising respective modules A1, A2 and B1, B2. In the application described herein, the airplane has two main undercarriages, each carrying four braked wheels having their brakes referenced respectively 1 to 8. The modules A1 and B1 both control wheel brakes 1 and 5 of the first undercarriage and wheel brakes 4 and 8 of the second undercarriage, while the modules A2 and B2 both control wheel brakes 2 and 6 of the first undercarriage and wheel brakes 3 and 7 of the second undercarriage, as shown diagrammatically in the figure.

In fact, the modules A1, A2, B1, B2 do not control the brakes directly. If the brakes use hydraulic technology, then the modules deliver electrical signals to servo-valves (one valve per brake) which regulate the pressure in the brakes as a function of the electrical signals they receive. If the brakes are implemented control the current that is fed to the electric motors of the brakes as a function of the electrical signals they receive. In both cases, the electrical signals delivered by the modules can be identical, so the architecture shown can be used equally well for airplanes fitted with hydraulic brakes and for airplanes fitted with electric brakes.

It may be observed that the distribution of the brakes controlled by each module in a given braking computer is symmetrical, so a sudden failure of one of the modules will not lead to a swerve in the travel of an airplane running along a runway.

In normal operation mode, one of the braking computers A and B is active and thus controls all of the brakes. Which one of the braking computers is active can be selected in various ways that are known per se. For example, it is possible to use one of the braking computers on a permanent basis, with the other one being used only in the event of a failure in the computer that is used normally. It is also possible to decide to use the braking computers in alternation, changing the active braking computer for each flight.

The set of modules A1, A2, B1, B2 receives, over one or more communications buses 10, electrical information coming from the airplane cockpit and grouped via one or more concentrators 9. This electrical information includes in particular a signal coming from a braking selector enabling the pilot to indicate whether normal braking under pilot control is required, or automatic braking with programmed deceleration, or indeed that the airplane should be held stationary while parked. There are also electrical signals 11 coming from brake pedals P operated by the pilot.

Assume that the braking computer A is active. If the module A1 should fail, then the architecture is configured in conventional manner to hand over to braking computer B. This computer is capable of controlling all of the brakes, and thus ensures full-capacity braking. Braking thus continues to be provided in a normal braking mode.

If, in a first scenario, the module B1 should fail, then the module B2 continues to control half of the brakes (specifically the brakes 2, 3, 6, and 7). It is thus possible to continue to provide braking, even after two failures, and although the resulting braking is provided by only half of the brakes. This constitutes a degraded mode of braking.

If, in a second scenario, the module B2 should fail, then, in accordance with the invention, the architecture is configured to control all of the brakes by using the modules A2 and B1. With the module A2 controlling the brakes 2, 3, 6, and 7, and the module B2 controlling the brakes 1, 4, 5, and 8, it is possible to control all of the brakes using these two modules, even though physically said modules are located in two different computers. Thus, this new mode of braking is an alternative mode intermediate between degraded mode and normal mode, enabling all of the brakes to be controlled even though neither computer is fully active.

In order to add additional safety, the modules A2 and B1 receive the pedal signals 11 directly, thus making it possible, in the event of a failure of the communications bus 10, to continue braking the airplane as a function of indications from the pilot, given via the pedals.

If, following the second scenario, the module B1 should also fail, then it still remains possible using the module A2 to perform braking using half of the brakes. This is a return to the degraded mode of operation.

Alternatively, if the module A2 should fail, the module B1 would remain active, thus allowing braking to be performed using half of the brakes.

With the general principle of the invention described above, a preferred embodiment of the invention is described below with reference to FIGS. 2 to 5.

As can be seen in FIG. 5, and as explained, the architecture comprises two computers A and B each of which is subdivided into two modules respectively referenced A1, A2 and B1, B2. In this case, only the computer A is active in controlling all of the brakes.

In this case, each of the modules comprises a first electronics card, referred to herein as the low speed card BV suitable for generating a braking reference signal. For this purpose, the card BV has a plurality of inputs such as the pedal signal 11 of FIG. 1, or an auto-brake signal.

Each of the modules also has a second electronics card, referred to as the high speed card HV, adapted to generate control orders for the actuators (servo-valves for hydraulic brakes, electric motors for electric brakes) associated with the brakes controlled by said module. For this purpose, the HV card modulates the braking reference signal generated by the corresponding low speed card BV so as to avoid the wheels skidding during braking (with this applying, naturally, only to those braked wheels that are under the control of the module). For this purpose, the card HV has various inputs coming from various sensors (wheel rotation, pressure in circuits) associated with the braked wheels and with the brakes, enabling such modulation to be established.

The processor of the card HV is a processor adapted to operating at a higher speed than is the processor of the card BV, since the braking reference signal must be modulated in real time as a function of instantaneous information about the behavior of the wheels and the brakes. This difference in the speeds of the processors of the card BV and of the card HV explains why the cards are referred to as low speed and high speed.

The module A1 is powered by a first power supply bus PW1 associated with generators driven by the engines of the airplane. The module B2 is powered by a second power supply bus PW2 that is independent of the first power supply bus PW1, and that is associated with other generators driven by the engines of the airplane. The modules A2 and B1 are powered by a third power supply bus PWEss, independent of the power supply buses PW1 and PW2 and associated firstly with an auxiliary generator that is not driven by the engines of the airplane and secondly by a direct current (DC) source, such as batteries. It should be observed that a single breakdown in any one of the electricity sources of the power supply bus PWEss does not lead to a loss of the power supply bus PWEss.

Thus, a single breakdown affecting the power supply buses (loss of the bus PW1, loss of the bus PW2, or loss of one of the electricity sources of the bus PWEss) leads to the loss of only one of the four modules at the most.

For reasons of clarity, the power supplies shown in FIG. 2 are not reproduced in the following figures.

In order to improve braking safety, monitoring is organized between the cards or the modules in the same computer as follows:

-   the cards BV of modules A1 and A2 are adapted to monitor each other, e.g. by the processor on one of the cards BV running routines to verify proper operation of the other card BV, and vice versa, and also by making comparisons (in the software or using logic gates) on a regular basis between the braking reference signal generated by one of the cards BV and the braking reference signal generated by the other card BV. This monitoring is represented by an arrow between the cards BV of the modules A1 and A2; and
-   in each module, the cards HV and BV monitor each other, so that the processor on one of the cards verifies that the processor on the other card is operating properly. This monitoring is symbolized by an arrow between the card BV and the card HV in each module.

Assume that the module A1 fails, either because the power supply bus PW1 has failed or because one of the cards in the module A1 detects a failure of the other card.

Then, as explained above, the computer A is deactivated and the second computer B takes over, as shown in FIG. 3, where the failed module A1 is crossed out.

The computer B is of the same structure as the computer A and operates in the same manner. The arrows represent the various monitoring operations performed firstly between the cards BV of the modules B1 and B2, and secondly between the card BV and the card HV in each of the modules B1 and B2.

Assume that the module B2 fails, either because the power supply bus PW2 has failed, or because a divergence has been detected between the cards BV and HV.

The architecture is then organized to operate by means of the module A2 in computer A and the module B1 in computer B, as shown in FIG. 4 where the failed module B2 is crossed out. In each of the modules A2 and B1, the cards HV and BV continue to monitor each other. In the invention, the cards BV of the modules A2 and B1 are also adapted to monitor each other, even though the modules do not form parts of the same computer.

Finally, in the event of the module B1 failing, then only the module A2 remains active and can serve to control only half of the brakes, as shown in FIG. 5, where the failed module B1 is crossed out.

In this respect, and in order to ensure a level of monitoring between the card BV and the card HV that exceeds mere checking for proper operation of the processors, at least one of the inputs of the card BV necessary for calculating the braking reference signal is duplicated at the card HV. For example, in this case the electrical signal 11 coming from the pedals P and forming one of the inputs to the card BV is shown symbolically as is an input of that signal to the card HV, thereby enabling the card HV itself to proceed with its own verification of the calculations performed by the card BV on the basis of said signal. This disposition enables braking safety to be increased in the degraded mode of operation when only one of the modules is active. Preferably, this duplication is performed on each of the modules.

The architecture of the invention thus makes it possible in the event of a single breakdown (switchover from normal mode operation of computer A to normal mode operation of computer B), or in the event of two breakdowns (switchover to alternative mode A2/B1), to continue providing braking using all of the brakes and while continuing to provide a high level of safety.

In comparison with a conventional type of architecture in which each computer has a first channel controlling of the braked wheels and a second channel monitoring the first channel, in order to obtain the same level of safety, it is necessary to use three computers, which is penalizing in terms of weight, of cost, maintenance, and complexity of operation.

In the event of three breakdowns (switching over to degraded mode A2 alone), the architecture of the invention still enables braking to be performed in degraded mode, using only one module and only half the wheels.

There remains an ultimate degraded mode which consists in braking the airplane by means of the parking brake.
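The mode logic walked through above can be checked exhaustively over every failure combination. The following Python model is an added example, not part of the patent text: it uses the brake allocation of FIG. 1 and the power buses PW1, PW2 and PWEss, and also covers the symmetrical A1/B2 pairing that the description allows as a variant. The function names, the preference for computer A when all modules are sound, and the order in which a surviving module is chosen for degraded mode are assumptions made for illustration.

```python
from itertools import combinations

# Brake allocation from the description of FIG. 1: A1/B1 share one set of
# brakes, A2/B2 share the complementary set.
BRAKES = {
    "A1": frozenset({1, 4, 5, 8}), "B1": frozenset({1, 4, 5, 8}),
    "A2": frozenset({2, 3, 6, 7}), "B2": frozenset({2, 3, 6, 7}),
}
ALL_BRAKES = frozenset(range(1, 9))

# Power supply buses of the preferred embodiment.
POWER_BUS = {"A1": "PW1", "B2": "PW2", "A2": "PWEss", "B1": "PWEss"}

# Assumption: computer A is preferred when both computers are fully sound.
NORMAL_PAIRS = (("normal A", ("A1", "A2")), ("normal B", ("B1", "B2")))
EMBODIMENT_CROSS = (("A2", "B1"),)              # alternative mode of FIG. 4
SYMMETRIC_CROSS = (("A2", "B1"), ("A1", "B2"))  # variant mentioned in the text
# Assumption: order in which a lone surviving module is picked.
DEGRADED_PREFERENCE = ("A2", "B1", "B2", "A1")


def select_mode(failed, cross_pairs=EMBODIMENT_CROSS):
    """Return (mode, active modules, brakes controlled) for a set of failed modules."""
    healthy = set(BRAKES) - set(failed)
    candidates = list(NORMAL_PAIRS) + [("alternative", p) for p in cross_pairs]
    for name, pair in candidates:
        if healthy.issuperset(pair):
            covered = BRAKES[pair[0]] | BRAKES[pair[1]]
            # Every permitted pair must be complementary, whatever computer
            # each module physically sits in.
            assert covered == ALL_BRAKES
            return name, pair, covered
    for module in DEGRADED_PREFERENCE:
        if module in healthy:
            return "degraded", (module,), BRAKES[module]
    # No module left: only the parking brake remains.
    return "parking brake", (), frozenset()


def modules_lost_with_bus(bus):
    """Modules that lose power if the whole bus is lost."""
    return {m for m, b in POWER_BUS.items() if b == bus}


def double_failure_table(cross_pairs=EMBODIMENT_CROSS):
    """Resulting mode for each of the six possible pairs of failed modules."""
    return {
        pair: select_mode(pair, cross_pairs)[0]
        for pair in combinations(sorted(BRAKES), 2)
    }


if __name__ == "__main__":
    for pair, mode in double_failure_table().items():
        print("failed", pair, "->", mode)
    for bus in ("PW1", "PW2", "PWEss"):
        lost = modules_lost_with_bus(bus)
        print("loss of", bus, "->", sorted(lost), select_mode(lost)[0])
```

In this model, complete loss of PWEss removes both A2 and B1 at once, which is why the description requires that no single source failure can take that bus down.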

In a particular aspect of the invention, the cards BV of the modules are configured to perform functions other than braking proper, such as lowering the undercarriages, or steering the airplane on the ground. These functions are generally considered as being less critical than the braking function. It can then be acceptable to omit organizing monitoring between the modules A2 and B1 (during operation of the kind shown in FIG. 4) in respect of these functions. Once such monitoring is not performed, these functions are preferably performed by other means, so as to guarantee sufficient operating safety. For example, lowering the undercarriages may be guaranteed merely by gravity, whereas steering the airplane on the ground may be provided by differential braking.

The invention is not limited to the particular embodiment described above, but on the contrary covers any variant coming within the ambit of the invention as defined by the claims.

In particular, although the embodiment described herein favors common operation of modules A2 and B1, it is possible in symmetrical manner to provide for common operation of the modules A1 and B2. Similarly, it is possible to provide degraded mode operation with the modules A2 or B1.

Finally, although the braking architecture of the invention is shown as being applied to an airplane having two main undercarriages each having four braked wheels, the same architecture can naturally be applied to other configurations, for example an airplane having two main wing undercarriages and one or two main fuselage undercarriages. It is then possible to devise various schemes for controlling the brakes by means of the modules. For example, it is possible to envisage that the modules A1 and B1 control the brakes of the wing undercarriages while the modules A2 and B2 control the brakes of the fuselage undercarriages.

1. An architecture for a braking system for an airplane fitted with a plurality of undercarriages each carrying a plurality of wheels, at least some of which are fitted with brakes, the architecture comprising at least two braking computers each having two modules such that in each computer, one of the modules controls a first fraction of the brakes and the other module controls a second fraction of the brakes complementary to the first, the architecture being configured to operate in any one of the following modes of operation: a first normal mode in which both modules of one of the braking computers are active for controlling all of the brakes; a second normal mode in which both modules of the other braking computer are active for controlling all of the brakes; and an alternative mode in which one module of one of the braking computers and one module of the other braking computer are active for controlling all of the brakes.
2. A braking system architecture according to claim 1, wherein the modules include first monitoring means configured so that in each mode of operation the two active modules monitor each other.
3. A braking system architecture according to claim 2, wherein each module comprises a first card adapted to generate a braking reference signal, and a second card adapted to generate a braking order for each brake associated with the module by modulating the braking reference signal in order to avoid skidding of said brake, the first monitoring means being associated with the first card of each module and being adapted to monitor the first card of the other active module.
4. A braking system architecture according to claim 3, wherein the first card and the second card in a given module include second monitoring means configured, when said module is active, to enable the first and second cards to monitor each other.
5. A braking system architecture according to claim 4, wherein the first card and the second card include at least one identical input.
6. A braking system architecture according to claim 1, the architecture being configured also to operate in a degraded mode in which only one of the modules of one of the braking computers is active.
7. A braking system architecture according to claim 1, wherein one of the modules of one of the computers is connected to a first power supply bus, one of the modules of the other computer is connected to a second power supply bus, and the other two modules that are intended to be active together in the alternative mode are connected to a third power supply bus.
8. A braking system architecture according to claim 1, wherein each module is configured to perform at least one function other than braking and involving at least one of the undercarriages of the airplane, such as steering the airplane or lowering and/or raising the undercarriages.
9. A method of managing a braking system architecture for an airplane fitted with a plurality of brakes, the architecture comprising at least two braking computers each comprising two modules such that in each computer, one of the modules controls a first fraction of the brakes, and the other module controls a second fraction of the brakes complementary to the first, the method including the step of causing two modules each belonging to a different one of the braking computers to operate simultaneously for controlling all of the plurality of brakes.
10. A method according to claim 9, wherein the two modules operating simultaneously monitor each other while they are operating simultaneously.